Slapping the keyboard until something good happens

“Playtime is over, Star Fox!” Err I mean.. “StarCom!”

Star Fox on N64… those were the good ol’ days. Not only do we have to move on from those long, joyful summer days playing Star Fox on N64, but also from our free SSL CA friends at StarCom.

StarCom was bought out by a Chinese CA (WoSign) and was caught backdating certificates and issuing certificates for domains that the requesters didn’t own. StarCom certificates are no longer trusted in Firefox and Chrome. They are in the process of issuing new root certs, but for now stay far, far away from them…

StarCom is (well, was) the only competition to Let’s Encrypt in the free certificate space. It is far and away the cheapest direct provider of wildcard certificates (which are impossible to get for free), unless you move into reseller territory. And even their free certificates last four times as long, and don’t require the use of certbot.

Certainly, Let’s Encrypt works great for a lot of people’s needs. But for those it doesn’t (and there are more of them than you might think), this is seriously bad news.

A real bummer – I always liked StarCom because of their approach to charge for verification (with increasing costs for each higher trust level) but not for issuing certs (while still manually checking every cert request, at least for any OV&EV cert in my case).

I used StarCom’s certificates in my labs and even suggested them to a few customers in the past to get around those hefty price tags associated with SSL certificates.

Now that StarCom is SOL, my hand has been forced and I must renew my certificates before my browser starts to yell at me… Let’s Encrypt, let’s see what you’ve got!

Stumbling around on the interwebs to make Let’s Encrypt work for me, I found a nifty GitHub repository that its author titles: A .NET library and client for the ACME protocol (Let’s Encrypt CA). The handy QuickStart guide served me well, but I want to expand on some of the gotchas that I ran into:

The Certificate is only valid for 90 days. You will have to generate a new certificate via this process below to have a valid certificate after the validity period expires.

1. ACMESharp Installation

First, install the ACMESharp PowerShell module:

The workstation I was running on did not like that the module was going to make the command ‘Get-Certificate’ available even though it already was. Since I am doing all this work on a throw-away VM, I chose to pass -AllowClobber.

Install-Module -Name ACMESharp -AllowClobber

Then, per the QuickStart guide, I loaded the module:

Import-Module ACMESharp

2. Vault Initialization

Let’s Encrypt stores your certificates and related artifacts in what they call a Vault. To use Let’s Encrypt, you will have to start by initializing a Vault.

Note, if you run as Administrator, your Vault will be created in a system-wide path, otherwise it will be created in a private, user-specific location.

Initialize-ACMEVault

3. Register

Register yourself with the Let’s Encrypt CA:

Provide a method of contact, e.g. an email (note, LE does not support the tel: contact method)

Accept their Terms-of-Service (TOS).

New-ACMERegistration -Contacts mailto:somebody@domain.com -AcceptTos

4. Set your Domain Identifier

Submit a DNS domain name that you want to secure with a PKI certificate.

If you want to create a SAN certificate, you will have to repeat this step, step 5 and step 6 for each “myserver.example.com” you want to include. I recommend writing out all of your PowerShell cmdlets ahead of time to ease this tedious process.

New-ACMEIdentifier -Dns home.domain.com -Alias home

New-ACMEIdentifier -Dns file.domain.com -Alias file

New-ACMEIdentifier -Dns plex.domain.com -Alias plex

New-ACMEIdentifier -Dns login.domain.com -Alias login

New-ACMEIdentifier -Dns mail.domain.com -Alias mail

New-ACMEIdentifier -Dns autodiscover.domain.com -Alias autodiscover

New-ACMEIdentifier -Dns legacy.domain.com -Alias legacy

5. Prove Domain Ownership – DNS Challenge

The QuickStart guide found on the ACMESharp GitHub includes 3 methods to prove domain ownership. For my sake, the easiest way to prove I owned my domain was to complete what is referred to as a DNS Challenge.

If you want to handle the DNS Challenge manually, use the following cmdlet to print out the instructions that you need to follow on your DNS server/service of choice. Implement the steps described in the instructions before moving on to the next step.

Complete-ACMEChallenge home -ChallengeType dns-01 -Handler manual

== Manual Challenge Handler - DNS ==

* Handle Time: [1/12/2016 1:41:51 PM]

* Challenge Token: [xfc0oQahXVqdaBlcZbk5nL8H-GSDFCoQ8LGzOL07qVI]

To complete this Challenge please create a new Resource Record (RR) with the following characteristics:

* RR Type: [TXT]

* RR Name: [_acme-challenge.example.com]

* RR Value: [vNx_fpLgvq0l4rqSATuxhxl9pa155SoeKvNZ98AFB_4]

6. Submit the Challenge Response to Prove Domain Ownership

Once you have handled the Challenge using one of the methods in Step #5, you need to let the LE server know so that it can perform a verification.

I chose to use the DNS Challenge method, so I used this cmdlet to submit my challenge:

Submit-ACMEChallenge home -ChallengeType dns-01

7. Verify the Status of the Challenge

Once the Challenge response is submitted, the validation usually takes anywhere from seconds to minutes to perform. I checked the validation status for my domain using the following command.

Until the Challenge has been verified, you should see a status of pending.

If the Challenge fails for any reason you will see a status of invalid. At this point, you cannot re-attempt the same exact Challenge without first Submitting a new DNS Identifier (Step #4).

If the Challenge is successful, you will see a status of valid.

Once the Challenge has been successfully validated, you can check the overall status of the Domain Identifier, which should be valid as well.

Update-ACMEIdentifier home

8. Request and Retrieve the Certificate

After you have proved your ownership of the domain name you wish to secure, you can create a new PKI certificate request, and then submit it for issuance by the LE CA.

New-ACMECertificate home -Generate -Alias home.domain.com

Submit-ACMECertificate home.domain.com

Subject Alternative Names (SAN)

If you want to generate a CSR that lists multiple names, you can use the Subject Alternative Names extension of the PKI certificate request to list multiple additional names other than the primary Subject Name. To do so you specify the -AlternativeIdentifierRefs option with a list of one or more additional Identifier references.
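As an added example (my own script, not code from the post or from the ACMESharp project), the following chains steps 4 through 8 for several names and requests one SAN certificate. The domain names and aliases are placeholders, it assumes steps 1 to 3 have already been completed in the current Vault, and it pauses so you can publish each TXT record before the challenge is submitted.

```powershell
# Added example, not from the original post or the ACMESharp project.
# Assumes the ACMESharp module is installed and the Vault is initialised and registered (steps 1-3).
Import-Module ACMESharp

# Placeholder names; the first entry becomes the certificate Subject, the rest go in the SAN extension
$names = [ordered]@{ 'home' = 'home.domain.com'; 'file' = 'file.domain.com'; 'plex' = 'plex.domain.com' }

foreach ($alias in $names.Keys) {
    # Step 4: one Identifier per name that will appear in the certificate
    New-ACMEIdentifier -Dns $names[$alias] -Alias $alias | Out-Null

    # Step 5: the manual dns-01 handler prints the TXT record to create; publish it before continuing
    Complete-ACMEChallenge $alias -ChallengeType dns-01 -Handler manual
    Read-Host "Publish the TXT record for $($names[$alias]) shown above, then press Enter" | Out-Null

    # Step 6: ask the CA to validate the published record
    Submit-ACMEChallenge $alias -ChallengeType dns-01 | Out-Null

    # Step 7: poll until the Identifier leaves 'pending'; the bounded loop avoids hanging forever
    $status = 'pending'
    for ($i = 0; $i -lt 30 -and $status -eq 'pending'; $i++) {
        Start-Sleep -Seconds 10
        $status = (Update-ACMEIdentifier $alias).Status
    }
    if ($status -ne 'valid') {
        # An invalid challenge cannot be retried; a fresh Identifier (step 4) is required
        throw "Validation of $($names[$alias]) ended in status '$status'"
    }
}

# Step 8: one CSR whose Subject is the first alias and whose SAN extension lists the others
$primary = @($names.Keys)[0]
$sans = @($names.Keys | Where-Object { $_ -ne $primary })
New-ACMECertificate $primary -Generate -Alias sancert -AlternativeIdentifierRefs $sans | Out-Null
Submit-ACMECertificate sancert
```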

Final Thoughts

All in all, a fairly painless procedure to get yourself a free 90-day trusted SSL certificate for your labs and anything else you see fit, so long as you can live with renewing once every three months. Let’s Encrypt is still fairly new, and may have some exciting stuff for us in the near future as it relates to free SSL certificates. Until then, I’ll be harnessing the Powers of PowerShell.


Brad Stevens

Brad Stevens is an enterprise consultant, cloud architect, and technical evangelist with over 5 years of experience providing architecture, development, consultancy and design expertise. He works at CDW, a leading reseller of IT hardware, software and professional services. He is based in Portland, Oregon.